Ivanti zero-day flaws abused by Chinese hackers come under mass exploitation


Multiple threat actors have been exploiting two zero-day flaws impacting Ivanti's Connect Secure VPN and Policy Secure network access control (NAC) devices since January 11, 2024, cybersecurity firm Volexity has warned. All supported versions of the Ivanti Connect Secure and Policy Secure Gateways are currently at risk.

The flaws (CVE-2023-46805, CVE-2024-21887) were discovered by Volexity in December last year during an investigation into a security incident at one of its customers. Researchers found that an attacker was placing web shells on multiple internal and external-facing web servers using an exploit chain that combined the two above-mentioned zero-day flaws.

The threat actor, tracked by Volexity as UTA0178, used the exploits to steal configuration data, modify existing files, download remote files, and reverse tunnel from the ICS VPN appliance.

The attackers also altered legitimate ICS components and made changes to the system to evade the ICS Integrity Checker Tool and backdoored a legitimate CGI file on the ICS VPN appliance to allow command execution. The threat actor then exfiltrated credentials and used them to pivot to other internal systems.

According to new findings from Mandiant, the threat actor, which it tracks as UNC5221, deployed five custom malware tools called ThinSpool, LightWire, WireFire, WarpWire and ZipLine.

“Mandiant has determined that ThinSpool acts as a key tool for both persistence and detection evasion, in addition to being the initial dropper for the LightWire web shell used by UNC5221 for post-exploitation activity. The LightWire and WireFire web shells used by UNC5221, post-compromise, are lightweight footholds enabling further and continued access to the CS appliances,” the researchers wrote in a report.

WarpWire is credential-harvesting malware written in JavaScript, and ZipLine is a passive backdoor.

Predictably, after the details of the CVE-2023-46805 authentication bypass and the CVE-2024-21887 command injection vulnerabilities were made public, multiple threat actors were quick to weaponize the flaws.

“Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals,” Volexity said in a new report, noting that it found “evidence of compromise of over 1,700 devices worldwide.”

The threat actors backdoored compromised devices using a slightly modified Giftedvisitor webshell variant, Volexity said.

The list of victims includes global government and military departments, national telecommunications companies, defense contractors, technology firms, banking, finance, and accounting organizations, worldwide consulting entities, and aerospace, aviation, and engineering firms.

Organizations that are using Ivanti Connect Secure VPN and still have not applied the temporary workaround provided by Ivanti are strongly advised to implement it as soon as possible. As of version 9.1R12, Ivanti started providing a built-in Integrity Checker Tool that can be run as a periodic or scheduled scan.
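Because the attackers described above altered appliance components specifically to evade the on-device Integrity Checker Tool, a check whose baseline is held off the appliance is a useful complement. The script below is an added illustration of that idea and is not Ivanti's tool or code from this report: it hashes a directory tree, compares the result with a previously recorded manifest, and lists added, removed and modified files. The directory layout, file names and contents are constructed here so the script runs offline; the assumption is that the baseline manifest is generated from a known-good build and stored somewhere the appliance cannot rewrite.

```python
"""Out-of-band file integrity comparison (added illustration, not Ivanti's
Integrity Checker Tool). It hashes every regular file under a root directory,
compares the result with a baseline manifest and reports what changed.
The sample tree used by demo() is constructed inline so it runs offline."""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline, current):
    """Diff two manifests; returns sorted lists of added, removed and modified paths."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(k for k in base_keys & cur_keys if baseline[k] != current[k]),
    }


def build_sample_tree(root):
    """Constructed sample: a tiny stand-in for an appliance with a CGI script and a config."""
    root = Path(root)
    (root / "cgi-bin").mkdir(parents=True, exist_ok=True)
    (root / "cgi-bin" / "status.cgi").write_text("#!/bin/sh\necho ok\n")
    (root / "etc").mkdir(exist_ok=True)
    (root / "etc" / "app.conf").write_text("mode=normal\n")


def apply_sample_changes(root):
    """Constructed test input: one existing file edited, one new file dropped."""
    root = Path(root)
    (root / "cgi-bin" / "status.cgi").write_text("#!/bin/sh\necho ok\n# extra line\n")
    (root / "cgi-bin" / "new.cgi").write_text("#!/bin/sh\n")


def demo():
    """Record a baseline, change the tree, and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        baseline = hash_tree(tmp)  # in practice: generated from a clean build, stored off-appliance
        apply_sample_changes(tmp)
        return compare(baseline, hash_tree(tmp))


if __name__ == "__main__":
    print(demo())
```

The comparison only detects what the baseline covers, so the manifest has to be produced from a trusted copy of the software and kept where a compromised device cannot update it; a baseline regenerated on the device after an intrusion would simply bless the changes.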

Ivanti said that patches will be released on a staggered schedule between January 22 and February 19, 2024. Meanwhile, the company provided new recovery guidance for customers.

